The management of public funds, assets, programs, and services requires an oversight system that ensures all resources are used responsibly. One instrument that plays a crucial role in this process is the public sector internal audit.
The internal audit function is not only used to identify administrative errors or regulatory non-compliance. It also helps organizational leaders assess the effectiveness of internal controls, identify risks, improve performance, and ensure that programs provide appropriate benefits to the community.
Understanding the fundamentals of public sector internal auditing is becoming increasingly important as organizations face regulatory changes, increased demands for transparency, digital transformation, and increasingly complex risks of misconduct.
What is Public Sector Internal Audit?
Public sector internal audit is an independent examination and evaluation process conducted from within an organization to provide assurance regarding the effectiveness of governance, risk management, control, compliance, and the achievement of the public organization's objectives.
These activities are not limited to examining financial transactions. Internal auditors can also evaluate program management, budget utilization, procurement of goods and services, information technology, public services, asset management, compliance, and the effectiveness of risk mitigation.
In government agencies, audits are part of broader internal oversight. These oversight activities can include audits, reviews, evaluations, monitoring, and other oversight activities.
Thus, internal audits serve as a strategic tool for leaders. Audit results provide information on the organization's actual condition, the causes of problems, potential impacts, and necessary corrective actions.
Understanding the Basics of Public Sector Internal Audit
The fundamentals of public sector internal auditing extend beyond audit techniques. Auditors must also understand the characteristics of the public sector, its authority structure, funding sources, regulations, and the organization's responsibilities to the public.
The following are the principles underlying its implementation.
Accountability and Public Interest
Public sector organizations manage resources that mostly come from the state, regions, communities, or other sources related to the public interest.
Therefore, every program and use of resources must be accountable. Internal auditors need to assess whether the organization's activities have produced results consistent with its objectives, policies, and the public interest.
Accountability doesn't just mean complete documentation. Organizations also need to demonstrate that budgets and resources are used economically, efficiently, and effectively, and that they deliver measurable benefits.
Auditor Independence and Objectivity
Internal auditors work within the organization, but must remain capable of making objective assessments. Auditors must not be influenced by personal interests, pressure from certain parties, or direct involvement in the activities being audited.
Independence can be strengthened through:
- adequate position of the audit unit;
- clear reporting lines;
- access to information and personnel;
- protection from intervention;
- disclosure of potential conflicts of interest; and
- direct communication with leadership or supervisory bodies.
Without adequate independence, audit results risk losing credibility and being unable to objectively describe the condition of the organization.
Risk-Based Audit Approach
Public sector internal audits should not simply follow routine audit cycles. Audit planning needs to consider the risk level of each program, process, work unit, or object of supervision.
A risk-based approach helps auditors prioritize resources on areas that have the potential to have the greatest impact on achieving organizational objectives.
Some factors that can be used in risk assessment include:
- value of budget or assets managed;
- level of program complexity;
- changes in policy or regulation;
- history of previous findings;
- internal control weaknesses;
- risk of fraud and conflict of interest;
- dependence on technology; and
- the magnitude of the impact on public services.
With this approach, audits can be more relevant to actual risks, rather than simply completing an annual checklist.
Audit Evidence and Documentation
Audit conclusions must be supported by sufficient, relevant, reliable, and verifiable evidence. Evidence can come from documents, transaction records, observations, interviews, confirmations, system testing, and data analysis.
Auditors need to document procedures, samples, tests, analytical results, and professional judgment in audit working papers.
Complete documentation is important for:
- supporting conclusions and recommendations;
- facilitating the supervision process;
- maintaining methodological consistency;
- serving as the basis for quality review;
- providing an audit trail; and
- assisting in the implementation of the next audit.
Follow-up Monitoring
The audit process isn't complete when the report is issued. The value of an audit is only realized when the recommendations result in tangible improvements.
Internal auditors need to monitor whether relevant units have implemented follow-up plans within the targeted timelines. Monitoring should also assess whether these actions truly address the root cause of the problem, not simply fulfill administrative requirements.
Public Sector Internal Audit Foundations and Standards
The implementation of public sector internal audits must take into account regulations, professional standards, and the characteristics of the organization where the auditor works.
In the context of Indonesian government agencies, one of the main foundations is Government Regulation Number 60 of 2008 concerning the Government Internal Control System or SPIP.
In addition, government auditors need to pay attention to the applicable Indonesian Government Internal Audit Standards or SAIPI, auditor code of ethics, peer review guidelines, and other technical provisions issued by authorized institutions.
At the global level, internal audit practices also refer to the Global Internal Audit Standards published by the Institute of Internal Auditors. These global standards address five key domains:
- internal audit objectives;
- ethics and professionalism;
- governance of internal audit function;
- management of internal audit functions; and
- implementation of internal audit services.
However, the implementation of global standards in the public sector must still be adjusted to the regulations, government structures, funding systems, and governance that apply in Indonesia.
Organizations also need to pay attention to sectoral regulations. State-owned enterprises (BUMN), regional-owned enterprises (BUMD), service agencies, public financial institutions, and community service entities may have additional regulations governing internal oversight functions.
Objectives of Public Sector Internal Audit
In general, public sector internal audits aim to provide added value and help organizations achieve their goals.
These objectives can be described as follows.
1. Strengthening Accountability
Audits help ensure that decisions, budget use, and program implementation are accountable to management, supervisory bodies, regulators, and the public.
2. Assessing the Effectiveness of Internal Control
Auditors evaluate whether controls have been adequately designed and implemented to prevent errors, misuse, loss of assets, or non-compliance.
3. Improve Organizational Performance
Performance audits help assess whether programs have been implemented economically, efficiently, and effectively.
The results can be used to improve processes, reduce waste, simplify procedures, and improve service quality.
4. Ensuring Compliance
Auditors assess the conformity of an organization's activities to laws and regulations, internal policies, operational standards, contracts, and other relevant provisions.
5. Supports Risk Management
Audits provide an independent assessment of the effectiveness of risk identification, analysis, mitigation, and monitoring processes.
Auditors can also provide early warnings when they discover new risks that could potentially hinder the achievement of objectives.
6. Prevent and Detect Fraud
Internal audits can help identify control weaknesses that open up opportunities for fraud, conflicts of interest, abuse of authority, or data manipulation.
Although the responsibility for fraud prevention does not rest solely with auditors, the audit function plays a role in evaluating the effectiveness of an organization's prevention and response systems.
7. Provide Recommendations for Improvement
Audit findings must be translated into realistic, measurable, and actionable recommendations. Recommendations should focus on addressing the root cause, not simply addressing the symptoms.
Who Conducts Public Sector Internal Audits?
Internal audit implementers can differ depending on the form of the organization.
| Organizational Environment | Internal Audit Function Implementer | Primary Focus |
|---|---|---|
| Central government | BPKP, Inspectorate General, Main Inspectorate, or similar supervisory unit | Governance, accountability, risk, control, compliance and performance |
| Local government | Provincial Inspectorate and Regency/City Inspectorate | Supervision of the implementation of regional government and programs |
| State-Owned Enterprises and Regionally-Owned Enterprises | Internal Audit Unit or internal audit | Corporate governance, operations, finance, risk and compliance |
| Service agencies and other public organizations | Internal audit unit, SPI, or compliance unit according to organizational structure | Control, quality of service, resource utilization, and compliance |
In government agencies, these supervisory units are known as Government Internal Supervisory Apparatus or APIP.
Internal auditors are distinct from those responsible for running operations. Management remains the risk owner and responsible for internal controls. Auditors provide an independent assessment of whether these risks and controls have been adequately managed.
Scope of Public Sector Internal Supervision
The scope of internal supervision can include the following areas.
Performance Audit
Performance audits assess whether an activity or program has been implemented economically, efficiently and effectively.
The audit focuses not only on the amount of budget used, but also on the relationship between resources, outputs, results, and program benefits.
Audit with Specific Purposes
This audit is conducted to address specific objectives or issues. Its scope may relate to compliance, suspected irregularities, procurement, asset management, or other specific areas.
Review of Reports and Documents
A review provides limited assurance about the reliability of a report, process, or document. One example is a review of financial statements before they are submitted to stakeholders.
Program Evaluation
Evaluation is conducted to assess the design, implementation, results, and sustainability of a policy or program.
Auditors can check the suitability of indicators, effectiveness of implementation, obstacles, and impact of the program on target groups.
Monitoring
Monitoring regularly tracks the progress of program implementation, follow-up on recommendations, or implementation of a policy.
Information Technology Audit
Information technology audits evaluate the security, reliability, availability, data integrity, access management, and effectiveness of information systems.
This area is increasingly important as many public sector services and administrative processes have become reliant on digital systems.
Procurement and Asset Oversight
Procurement of goods and services and asset management have relatively high financial, operational, compliance and fraud risks.
Auditors can assess the process of needs planning, supplier selection, contract implementation, work acceptance, payment, recording, and asset utilization.
Consulting Services
In addition to providing assurance, internal auditors can provide consulting on governance, risk, and control.
However, auditors must maintain objectivity and not take over management's responsibility in making or carrying out operational decisions.
Differences between Internal Audit and External Audit in the Public Sector
Internal and external audits both contribute to accountability, but have different positions and objectives.
| Aspect | Internal Audit | External Audit |
|---|---|---|
| Position | Located within the organization's internal oversight structure or ecosystem | Located outside the organization being audited |
| Executor | APIP, SPI, or internal audit unit | External audit institutions according to their authority |
| Purpose | Helping leaders improve governance, risk, control and performance | Provide independent audits or opinions for external stakeholders |
| Execution time | Can be done continuously throughout the year | Generally follows a specific inspection period and mandate |
| Scope | Can include operations, compliance, technology, risk, and performance | Determined by the mandate and objectives of the external audit |
| Follow-up | Monitored together with management on an ongoing basis | Completed according to the inspection results follow-up mechanism |
In managing state finances, the Supreme Audit Agency (BPK) carries out external audit functions. Meanwhile, the government's internal oversight function is carried out by the Government Internal Supervisory Apparatus (APIP).
The two are not interchangeable. Internal audit helps strengthen the organization from within, while external audit provides an independent external assessment.
7 Stages of Public Sector Internal Audit
The audit process can be tailored to the methodology and characteristics of the organization. However, in general, the process includes the following steps.
1. Determine the Object and Objectives of the Audit
The auditor determines the program, process, unit, system, or activity to be audited. The selection of the object should be based on the organization's risk assessment and priorities.
Audit objectives must be formulated specifically so that the auditor can determine the appropriate scope, criteria, resource requirements, and procedures.
2. Conduct a Preliminary Survey
A preliminary survey is conducted to understand business processes, organizational structure, regulations, risks, controls, data, and previous audit results.
At this stage, the auditor may conduct initial interviews, review documents, map process flows, and identify areas requiring further testing.
3. Compile Audit Work Program
The work program contains the procedures to be carried out to achieve the audit objectives.
The document typically includes:
- testing objectives;
- the risks examined;
- audit criteria;
- evidence collection methods;
- sampling techniques;
- person in charge of procedures; and
- target implementation time.
4. Conduct Testing and Collect Evidence
Auditors conduct testing through document examination, observation, interviews, confirmation, transaction testing, data analysis, or system testing.
Each test result must be documented in the audit working papers.
5. Compiling and Discussing Findings
A good audit finding should at least explain:
- condition, namely the conditions found;
- criteria, namely the state that should be;
- reason, namely factors that cause differences;
- impact, namely the risks or consequences that occur; and
- recommendation, namely the recommended corrective action.
Findings need to be discussed with relevant parties to ensure factual accuracy and obtain management response.
6. Submit Audit Reports
Reports must be delivered clearly, objectively, concisely, constructively and in a timely manner.
The report content generally includes objectives, scope, methodology, conclusions, findings, recommendations, management responses, person responsible for follow-up, and completion targets.
7. Monitor Follow-up Plans
Auditors monitor the progress of the action plan and verify evidence of its completion.
Follow-up status can be classified into:
- not started yet;
- being implemented;
- completed but not yet verified;
- completed and verified;
- past the target time; or
- cannot be followed up for justifiable reasons.
Consistent monitoring helps prevent repeat findings and ensures recommendations have a real impact.
Challenges of Implementing Public Sector Internal Audits
Public sector internal audit faces different characteristics and constraints than commercial organizations.
1. Regulatory Complexity
Public agencies must comply with various regulations that are subject to change and are interrelated. Auditors need to continually update their understanding of relevant provisions.
2. Breadth of the Audit Universe
A single organization can manage multiple programs, work units, regions, assets, and systems. Auditor limitations make it impossible to examine all objects with equal intensity.
Therefore, organizations need risk-based audit planning.
3. Limitations of Independence
The position of the audit unit, the process of appointing leaders, access to information, or pressure from certain parties can influence the auditor's objectivity.
4. Fragmented Data
Audit documents are often scattered across spreadsheets, emails, applications, and physical files. This slows evidence collection and makes it difficult to trace audit history.
5. Slow Follow-up
Recommendations may be delayed due to a lack of clear accountability, unrealistic targets, budget constraints, or weak monitoring.
6. Competency Gap
Technological changes, fraud patterns, data analysis, cybersecurity, and program complexity require ever-evolving competencies.
How to Improve the Effectiveness of Public Sector Internal Audits
Here are some steps that organizations can implement.
1. Strengthening the Mandate and Position of Internal Audit
Organizations need to have a clear audit charter, authority, scope, reporting lines, and access rights.
2. Implement Risk-Based Planning
Audit priorities should be determined based on strategic, operational, financial, compliance, technology, and reputational risks.
3. Standardize Methodology and Working Papers
Consistent templates and procedures help improve the quality of documentation, supervision, and reporting.
4. Improving Auditor Competence
Competency development can include performance audits, procurement, investigations, data analysis, information security, communications, and risk management.
5. Using Data Analysis
Data analysis helps auditors test broader populations, find unusual transactions, and identify risk patterns that are difficult to find through manual sampling.
6. Improve the Quality of Recommendations
Recommendations should consider the root cause, level of risk, organizational capabilities, implementation costs, and expected outcomes.
7. Establish a Follow-up Mechanism
Each recommendation needs to have an action owner, time target, proof of completion, status, and escalation mechanism.
8. Implement Quality Assurance and Improvement
The internal audit function needs to evaluate its quality through supervision, internal evaluation, peer review, performance measurement, and continuous improvement of methodology.
The Role of Technology in Public Sector Internal Audit
Using email and spreadsheets can still facilitate simple processes. However, these methods become increasingly difficult when an organization has multiple auditors, work units, programs, evidence, findings, and action plans.
Audit management applications can help organizations in the following aspects.
Centralization of Audit Universe and Risk
Data on work units, programs, processes, risks, and audit history can be managed in a single system. Auditors gain a more complete picture when setting oversight priorities.
Risk-based Audit Planning
Technology helps compare risk levels, audit coverage, auditor resources, and engagement schedules.
Work Program and Paper Management
Auditors can use standardized templates, assign tasks, upload evidence, record test results, and monitor completion of procedures.
Collaboration and Supervision
Team leaders and technical controllers can monitor work status, provide review notes, and spot obstacles without waiting for the entire document to be compiled manually.
More Consistent Reporting
Data from working papers, findings, and recommendations can be used to help compile reports more quickly and consistently.
Follow-up Monitoring
Management and auditors can view the action plan status, time targets, responsible parties, evidence of completion, and recommendations that have passed the deadline.
However, technology does not replace the auditor's professional judgment. Applications serve as tools to improve the consistency, traceability, collaboration, and efficiency of the audit process.
Conclusion
Public sector internal audit is a strategic function that helps organizations maintain accountability, improve performance, manage risk, and strengthen internal controls.
Implementation requires more than just periodic audits. Organizations need an independent auditing position, competent auditors, a risk-based methodology, sufficient evidence, relevant recommendations, and consistent follow-up monitoring.
By understanding the fundamentals of public sector internal auditing and leveraging technology appropriately, the audit function can evolve from an administrative examiner to a strategic partner that helps organizations deliver public services and benefits more effectively.
Frequently Asked Questions
What is meant by public sector internal audit?
Public sector internal auditing is an independent assurance and consulting activity conducted to assess the governance, risk management, control, compliance, and performance of public organizations. The goal is to help leaders improve processes and increase accountability to the public.
Who conducts internal audits in government agencies?
Internal audits within government agencies are carried out by the Government Internal Supervisory Apparatus (APIP). APIP includes the BPKP (Financial Supervisory Agency), the Inspectorate General or similar units, the Provincial Inspectorate, and the Regency/City Inspectorate, as appropriate.
Does public sector internal audit only examine finances?
No. Internal audits can also cover program performance, compliance, operations, information technology, procurement, asset management, risk management, internal controls, and follow-up monitoring.
What is the difference between an internal audit and a BPK audit?
Internal audits are conducted by the Government Internal Supervisory Apparatus (APIP) or a supervisory unit within the organization's ecosystem to assist leaders in improving governance and performance. The Supreme Audit Agency (BPK) is an external audit institution with constitutional authority to audit the management and accountability of state finances.
Can audit applications replace internal auditors?
No. Audit applications do not replace the auditor's professional competence and judgment. Technology helps manage planning, workpapers, evidence, findings, reporting, and follow-up to make the audit process more consistent, efficient, and easily monitored.
Digitizing the Internal Audit Process with Audithink
Managing audits through separate documents can complicate coordination, supervision, reporting, and follow-up monitoring.
Audithink helps organizations integrate audit processes from risk assessment, planning, work program preparation, implementation, reporting, to monitoring action plans in one platform.
Support a more systematic, measurable, and easily monitored internal audit process together with Audithink.
Want to see how Audithink can be tailored to your organization's monitoring needs? Schedule a demo of the Audithink app and discuss your needs with a Product Expert.



